On Thu, Feb 8, 2024 at 3:56 PM Mark Reynolds <mareynol@redhat.com> wrote:

What version of 389-ds-base is installed?  There were bugs around csn location that were fixed in the very latest version of the LDAP server on RHEL 7.9.  So make sure you are running the latest version of 389-ds-base.


this is 1.3.10.2-12.el7_9

so not the latest one. And I cannot update right now because of other issues. Does this version have this csn problem?

As for replication being broken, you can confirm this by making a "dummy" change somewhere and checking if that change is present on the other replicas (give it some time to replicate of course, but it shouldn't take more than a few seconds).

As for re-initializing, just make sure you are initing from the most current/accurate replica.


yes, I saw we can use ipa topologysegment-reinitialize with just the domain suffix, so this should avoid overwriting the CA suffix (phew).

Thanks.